sh4d0wup 0.11.0

Signing-key abuse and update exploitation framework
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94

use crate::args;
use crate::errors::*;
use crate::keygen::in_toto::InTotoEmbedded;
use data_encoding::BASE64;
use in_toto::crypto::{self, HashAlgorithm, HashValue, PrivateKey, SignatureScheme};
use in_toto::interchange::Json;
use in_toto::models::{LinkMetadataBuilder, VirtualTargetPath};
use std::collections::HashMap;
use std::fs::File;
use std::io::BufReader;
use std::path::{Path, PathBuf};
use std::str::FromStr;

#[derive(Debug)]
pub struct SigningConfig {
    pub name: String,
    pub materials: Vec<VirtualEntry>,
    pub products: Vec<VirtualEntry>,
}

#[derive(Debug, PartialEq, Eq, Clone)]
pub struct VirtualEntry {
    pub name: String,
    pub path: PathBuf,
}

impl FromStr for VirtualEntry {
    type Err = Error;

    fn from_str(s: &str) -> Result<Self> {
        let (name, path) = s
            .split_once('=')
            .context("Invalid format, expected `name=/path/to/file.txt`")?;
        Ok(VirtualEntry {
            name: name.into(),
            path: path.into(),
        })
    }
}

impl TryFrom<args::SignInToto> for SigningConfig {
    type Error = Error;

    fn try_from(in_toto: args::SignInToto) -> Result<Self> {
        Ok(Self {
            name: in_toto.name,
            materials: in_toto.material,
            products: in_toto.product,
        })
    }
}

pub fn read_artifact(
    name: String,
    path: &Path,
) -> Result<(VirtualTargetPath, HashMap<HashAlgorithm, HashValue>)> {
    let file = File::open(path)?;
    let mut reader = BufReader::new(file);
    let hash_algorithms = &[HashAlgorithm::Sha256];
    let (_length, hashes) = crypto::calculate_hashes(&mut reader, hash_algorithms)?;
    Ok((VirtualTargetPath::new(name)?, hashes))
}

pub fn sign(signer: &InTotoEmbedded, config: &SigningConfig) -> Result<Vec<u8>> {
    let secret_key = BASE64
        .decode(signer.secret_key.trim().as_bytes())
        .context("Failed to decode signing key")?;
    let secret_key = PrivateKey::from_pkcs8(&secret_key, SignatureScheme::Ed25519)
        .context("Failed to load signing key")?;

    let materials = config
        .materials
        .iter()
        .map(|e| read_artifact(e.name.to_string(), &e.path))
        .collect::<Result<_>>()
        .context("Failed to collect materials")?;

    let products = config
        .products
        .iter()
        .map(|e| read_artifact(e.name.to_string(), &e.path))
        .collect::<Result<_>>()
        .context("Failed to collect materials")?;

    let link_metadata_builder = LinkMetadataBuilder::new()
        .name(config.name.to_string())
        .materials(materials)
        .products(products);

    let attestation = link_metadata_builder.signed::<Json>(&secret_key)?;

    let buf = serde_json::to_vec(&attestation)?;
    Ok(buf)
}